Purpose of This Guide:

This guide provides security practitioners with an understanding of the value in protecting cloud object storage services. It outlines the importance of protecting business processes and data across cloud-native storage services, the value of having Trend Micro Cloud One™ — File Storage Security in an organization’s architecture, and how to get started.

Increasing Cloud Service Adoption

Modern application development strategies are becoming more prevalent amongst companies looking to improve the speed of deployment and cohesive application ecosystems. Research and advisory firm ESG recently conducted a survey that outlined a “Cloud-First Policy”, which indicated 39% of the companies surveyed deploy new applications using public cloud services—unless there is a compelling case to deploy using on-premises resources.*





Cloud storage is a major component of creating a cloud-native application, as it affects performance, cost, scalability, availability, manageability, durability, and security. For example, when Virgin Trains built a digital train schedule and ticket transaction system, it used an Alexa Skill for natural language processing and a decoupled Amazon Web Services (AWS) backend. The idea was to emulate a real-life train schedule query and ticket purchase, allowing a user to simply say “Alexa, launch Virgin Trains”. This requires several external services and the Amazon API Gateway, using REST calls for communication to the appropriate AWS Lambda function and booking engine, then replying to the user with train times and ticket availability. Amazon Simple Storage Service (Amazon S3) buckets come into play when the ticket is purchased by the customer and secured through Amazon Pay. The ticket is built and stored as a PDF in Amazon S3, and an email is sent out to the customer immediately via Amazon Simple Notification Service (SNS).


Similar to Virgin Trains, organizations across the 
globe are using cloud services in their own digital 
transformation for different use cases such as 
storing customer data, publishing static websites, 
keeping backups safe, storing objects for batch 
processing, and archiving. 


With the increase in cloud-native application 
development and the importance of file upload and 
transfer, file storage services are a logical choice 
for modern business requirements. However, as 
companies incorporate more and more cloud file/ 
object storage services into their cloud-native 
applications, it also creates a new attack vector. 
The use of Amazon S3 buckets and Microsoft Azure Blob storage has increased in popularity due to the ease of deployment and simplicity for cloud data storage. However, organizations need to consider risk management to protect objects from malicious threats. Security controls for data in Amazon S3 buckets or Azure Blobs should always be a top priority for organizations, as data is a company's most valuable resource. Cloud providers have created best practice frameworks to help customers better understand how to configure their cloud services.


The AWS and Azure Well-Architected Frameworks both have excellent guidelines and recommendations on how to protect your data, such as enabling encryption and logging. In addition, Amazon Macie and Microsoft Azure Information Protection (AIP) provide data security and privacy services for your Amazon S3 buckets or Azure Blobs.


However, malware can still be a critical security concern. 
Because buckets are used in application workflows, 
they allow quick and automated file uploads and 
growing storage needs, which can be difficult to secure. 
Trend Micro complements Amazon Macie and Azure 
Information Protection, helping development and 
security teams mitigate the threat of malware in files 
uploaded to your cloud storage units. 


Organizations are using several different tools and processes to secure their Amazon S3 buckets and Azure Blobs. In some cases, these solutions rely on an Amazon Elastic Compute Cloud (Amazon EC2) instance and legacy agent designs, and require additional infrastructure. To ensure all the files are scanned and quarantined when needed, security practitioners need cloud-native solutions that are purposely designed and deployed for object storage services, require low maintenance costs to operate, and add minimal impact to the application development life cycle.
What Should CISOs Consider?

Chief Information Security Officers (CISOs) are building more visibility and protection into their strategic plans for cloud-native services. A big concern for CISOs is the movement of customer data from old architectures to new modern workflows. This change in process can impact an organization’s sprawling compliance and risk exposure, with possible legal and financial penalties. Not understanding how data is being saved or stored in your organization can lead to improper adherence to internal policies and violations of industry laws.

For many CISOs, object storage systems will be at the forefront of modern cloud-native storage designs within their organizations. Organizations that need to remain compliant with requirements such as PCI, HIPAA, and FedRAMP must look at the overall workflow of these systems to be sure security is being adhered to. This challenge represents not only a technical obstacle, but sometimes a financial issue, since most of the compliance requirements will result in a business disruption.


For example, an insurance company decides to modernize its online claim filing application by automating the workflow, allowing customers to upload insurance claim documents, images, or video for analysis, as part of the review and approval. If the files contain malware and spread throughout the organization or back to the customer, there are many impacts the insurance company’s cloud infrastructure, security and audit controls will face. Luckily, these actions can not only be avoided by applying preventive measures, like scanning each file that reaches your cloud storage bucket or blob; in this case, the organization could also reduce the time to detect malware. When there is a compliance violation and the mishandling of data, the organization can be fined as a result of how the data was processed, but sometimes the consequences are far beyond that. For example, if an organization was to leave Amazon S3 buckets exposed to specific threats, like ransomware, the company could be hit with an unrecoverable blow to its reputation and its data.

[Figure: ESG survey chart, “Which of the following types of cloud-native application security controls are most important?” (Percent of respondents, N=371, five responses accepted). Controls listed: Secrets management; Container relationship mapping; Malware detection and prevention; Software vulnerability scanning of production containers and server workloads; System activity recording for incident response; Software vulnerability scanning of registry-resident container images; Network segmentation and monitoring of inter-container and workload; API vulnerability management; Software vulnerability scanning in the build pipeline; Discovery, inventory, and auditing of APIs in mobile and cloud native apps; Access control and auditing of management actions; Authentication and privilege management of API calls; Configuration hardening based on standard benchmarks; Behavior profiling, monitoring, and anomaly detection; Code scanning and composition analysis; File integrity monitoring. Source: Enterprise Strategy Group]
Security practitioners must consider configuring their object storage services to avoid leaky buckets or blobs or authentication breaches of objects within the buckets or blobs themselves. They must also consider guarding against what can get stored in those buckets or blobs, and how bad actors could infiltrate the organization with malware.


Nowadays, ransomware is one of the most common threat techniques attackers use for easy and 
high financial returns. In a recent report from ESG, Leveraging DevSecOps to Secure Cloud-Native 
Applications, they illustrate how ransomware continues to be a top concern for companies.1 
Uploading files, such as sensitive PDFs, customer transaction forms, or media video formats, to 
your cloud storage container as part of your application processes and complex downstream 
workflows can pose a security risk if proper protection is not utilized. 


Further methods to secure object storage locations include adding an additional layer of scanning 
directly in the application at runtime. This approach helps ensure that when an application 
receives a file to store in the Amazon S3 bucket, for example, that the file will be scanned before it 
is allowed into the bucket—the same process is valid when a file is leaving this environment. 








Introducing Trend Micro Cloud One™ — File Storage Security

File Storage Security helps ensure your 
Amazon S3 buckets and Azure Blobs are free 
from malware by deploying cloud-native 
security that can be integrated into your 
custom Amazon S3 or Azure Blob workflows. 
Trend Micro’s world-class threat research 
delivers object storage security as files are 
uploaded into your cloud storage. File Storage 
Security protects small and large files for 
complete coverage across business processes 
and applications where files of any type might 
be used. File Storage Security also maintains 
data sovereignty by keeping the files and data 
within your AWS or Azure account, avoiding 
data loss and enabling optimal compliance 
and mitigation of regulatory risks. 


[Figure: Trend Micro Cloud One™ platform overview, showing Application Security, File Storage Security, Container Security, Workload Security, Network Security and Open Source Security (snyk), spanning AWS, Google Cloud, Microsoft Azure and VMware]


File Storage Security is part of the Trend Micro 
Cloud One™ security service platform, helping 
your organization to build and run applications 
securely by offering controls that work across 
your existing infrastructure or modern code 
streams, development toolchains, and multi- 
platform requirements. 
File Storage Security is backed by Trend Micro Research, which continuously monitors and collects threat data from across the globe. This is done by employing advanced detection analytics to immediately block attacks before they can harm your organization.


Our threat researchers and data scientists use the latest techniques to analyze data and identify threats in real time. This is achieved through augmented cyber intelligence—combining the focused findings from artificial intelligence (AI) and machine learning with knowledge from threat experts who are constantly researching the latest tactics, techniques, and procedures (TTPs) used by cybercriminals. We rapidly and accurately gather this wealth of global threat intelligence, using automated security analytics to customize protection against the threats that are most likely to impact you.


Our threat intelligence delivers actionable 
global threat insights to all Trend Micro 
solutions and services, providing the most 
comprehensive coverage in the industry. 
Understanding How Trend Micro Can Help Secure Your Object Storage


There are two main ways to use Trend Micro Cloud One - File Storage Security in your AWS or 
Azure infrastructure: 


File Upload Scan—Any cloud-native application that uses the power of the cloud to provide features integrated with Amazon S3 buckets or Azure Blobs could be exposed to malware. File Storage Security allows customers to integrate scan capabilities directly to their AWS or Azure accounts. This ensures all of the files you receive in your storage unit from external sources can be scanned for malware before your application can consume the data.

Automated Workflow—Development teams leverage event-driven designs with Amazon S3 and Azure to automate the processing of data uploaded to a bucket or blob. File Storage Security was designed with this architecture in mind, allowing development teams to seamlessly integrate file scanning into their automated workflow.





How to Get Started with File Storage Security 


Architecture: 


File Storage Security’s architecture was built to be a simple-to-understand way to monitor all of the buckets or blobs in your environment. For example, as soon as a new file is uploaded to the bucket, this will generate an SQS message inside your AWS account that will trigger an AWS Lambda function; Azure deployments work similarly using Azure Functions.


The function will execute the scan and tag the file as malicious or clean, depending on the scan result. It is also possible to connect plugins to perform additional actions, for example, as soon as the file is tagged as malicious, the plugin moves the tagged file to a quarantine bucket.


How the process works:

[Figure: File Storage Security process flow: 1. Upload file to cloud storage containers; 2. Scanner triggered automatically; 3. Customizable plugins; 4. Connect with downstream workflow]
Digging a little deeper into the architecture details, the overall deployment is made up of two different stacks:

Storage stack: This stack is responsible for accepting the notification for the Amazon S3 bucket or Azure Blob, as well as sending newly uploaded files to the scanner stack for the security scan. After the scan is complete, an Amazon SNS topic or Azure post scan action is published and the file is tagged as “malicious” or “clean”—additional plugins are available to add more functionality to the stack.


Scanner stack: This stack is responsible for executing the scan and publishing the results to the Amazon SNS ScanResultTopic or Azure ScanResultTopic. When the scanner stack receives the request from the storage stack, it processes it and uses an AWS Lambda or Azure function to execute the scan. Like many Trend Micro technologies, File Storage Security can leverage Trend Micro™ Smart Protection Network™ for the latest threat information.
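As an added illustration of the storage stack/scanner stack flow above (example code written for this guide, not Trend Micro's plugin code), the block below shows a post-scan action that applies the fss-scan-result tag and moves malicious objects to a quarantine bucket, plus the check a downstream application should run before it consumes an object. The shape of the scan result message, the bucket names and the in-memory S3 stand-in are assumptions for the example; a real plugin would read the ScanResultTopic payload documented for the product and call S3 through boto3.

```python
import json

SCAN_TAG = "fss-scan-result"                     # tag key named in the guide
QUARANTINE_BUCKET = "example-quarantine-bucket"  # hypothetical bucket name


class InMemoryS3:
    """Stand-in for the S3 calls a post-scan action needs; swap in boto3 for real use."""
    def __init__(self):
        self.objects = {}  # (bucket, key) -> {"body": bytes, "tags": dict}

    def put_object(self, bucket, key, body):
        self.objects[(bucket, key)] = {"body": body, "tags": {}}

    def put_tags(self, bucket, key, tags):
        self.objects[(bucket, key)]["tags"].update(tags)

    def get_tags(self, bucket, key):
        return dict(self.objects[(bucket, key)]["tags"])

    def copy_object(self, src_bucket, src_key, dst_bucket, dst_key):
        src = self.objects[(src_bucket, src_key)]
        self.objects[(dst_bucket, dst_key)] = {"body": src["body"], "tags": dict(src["tags"])}

    def delete_object(self, bucket, key):
        del self.objects[(bucket, key)]


def handle_scan_result(s3, sns_record):
    """Post-scan action: tag the object, then quarantine it if malicious. Returns the action."""
    # ASSUMPTION: the message carries bucket, key and a "clean"/"malicious" verdict;
    # the real ScanResultTopic payload is defined by the product documentation.
    result = json.loads(sns_record["Sns"]["Message"])
    bucket, key, verdict = result["bucket"], result["key"], result["verdict"]
    if verdict not in ("clean", "malicious"):
        raise ValueError(f"unexpected verdict {verdict!r}")
    s3.put_tags(bucket, key, {SCAN_TAG: verdict})
    if verdict == "clean":
        return "tagged-clean"
    # Copy then delete: the sample stays available for incident response but no
    # longer sits in the bucket the application reads from.
    s3.copy_object(bucket, key, QUARANTINE_BUCKET, key)
    s3.delete_object(bucket, key)
    return "quarantined"


def safe_to_consume(s3, bucket, key):
    """Downstream gate: only an object explicitly tagged clean is processed.
    A missing tag means the scan has not run yet, so the answer is no."""
    return s3.get_tags(bucket, key).get(SCAN_TAG) == "clean"


def demo():
    """Constructed sample: three uploads, of which only two have scan results so far."""
    s3, bucket = InMemoryS3(), "example-upload-bucket"
    for key in ("claim-001.pdf", "claim-002.pdf", "claim-003.pdf"):
        s3.put_object(bucket, key, b"%PDF-1.4 constructed sample")
    records = [{"Sns": {"Message": json.dumps({"bucket": bucket, "key": k, "verdict": v})}}
               for k, v in (("claim-001.pdf", "clean"), ("claim-002.pdf", "malicious"))]
    actions = [handle_scan_result(s3, r) for r in records]
    gate = {k: safe_to_consume(s3, bucket, k) for k in ("claim-001.pdf", "claim-003.pdf")}
    return s3, actions, gate
```

The gate treats an untagged object as not yet scanned rather than as clean, which is the failure mode that matters when the scanner lags behind the upload.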








[Figure: File Storage Security AWS architecture. Storage Stack: S3 bucket to scan, BucketListenerLambda, SQS, PostScanActionTagLambda. Scanner Stack, running in the Trend Micro domain]

See File Storage Security for Azure Blob storage architecture here.


Let's use AWS as the setup example (Azure Blob support will follow similar Microsoft Azure 
Resource Manager (ARM) template processes available here). In order to launch both stacks, 
you must leverage the AWS CloudFormation Templates: FSS-Scanner-Stack.template and FSS- 
Storage-Stack.template. We also offer an all-in-one stack that launches both, called FSS-All-In- 
One.template. To help security and DevOps teams automate their workflows with File Storage 
Security, all CloudFormation templates are available in our GitHub repository. 


For additional plugins, we have created a separate GitHub repository to enable you to add more functionality, including post-scan actions that either pass files through or quarantine them.
The deployment process was developed to be seamless and get you up and running quickly. All you need to do is connect to your File Storage Security account, launch the stack that deploys the CloudFormation template to your AWS account, and, as soon as it is deployed, copy the ARNs from the Outputs tab to the File Storage Security console.


Deploy All-in-One Stack 





Before, during, and after the CloudFormation template is deployed, you'll be able to check 
all of the details about what is being deployed to your AWS account. 
[Screenshot: AWS CloudFormation console for the FileStorageSecurity-All-In-One-Stack, showing the Stack info, Events, Resources, Outputs, Parameters, Template and Change sets tabs, and the Overview panel with Created time 2020-07-12 10:36:35 UTC+0400]





As soon as everything is finished, you’ll be able to run a test by uploading a file to your chosen Amazon S3 bucket. In this case, we have a clean file, and you will see the following tags applied to it. When a malicious file is detected, you will see the key “fss-scan-result” with the value malicious.


Further monitoring and awareness can be seen within the File Storage Security dashboard. 
This provides visibility into the history and current state of files that contain malware in your 
storage units, which can impact other workflows. 





It is that easy and fast to protect your Amazon S3 buckets or Azure Blob storage. By deploying File Storage Security, you’ll be able to detect threats as soon as they land in your buckets or Azure Blobs. If you want to go one step further, you can opt to deploy additional plugins. This will allow for added capabilities, like automated quarantining of tagged files to another bucket, using the File Storage Security API to integrate directly with your application workflow, and automating the security provisioning for new buckets or Azure Blobs.
Why Trend Micro for Your File Storage Security:


Digital transformation is dramatically 
reshaping industries as organizations look 
to improve performance and drive better 
business goals. However, many companies, 
big and small, find the accelerated pace to 
be a major challenge for their cybersecurity 
needs. Some of these challenges range from 
rising cybersecurity technology costs to a lack 
of visibility. On top of that, organizations are 
faced with not being able to properly meet 
compliance or reduce security risks across 
multiple levels of business. 


With File Storage Security, your security teams can be assured that your interests will be protected with modern, sophisticated malware scanning for malware, worms, Trojans, spyware, and more. File Storage Security helps your organization meet compliance through an easy-to-deploy and simple-to-manage solution, designed to provide greater security control for your cloud-native applications and object storage requirements. Get started with File Storage Security and embrace the simplicity of cloud-native file protection, so you can store, retrieve, and share your data with confidence.
ervices with Trend Micro Cloud One™ - File Storage Security





Trend Micro helps to make the world safe 

for exchanging digital information today and 
in the future. Trend Micro delivers complete 
coverage for your modern and evolving hybrid 
and multi-cloud workload and application 
security requirements —from build time to 
runtime. 


Backed by 24/7 global threat research and extensive support, you can enjoy peace of mind as you design and expand your hybrid and multi-cloud application footprint. We help security teams reduce the constraints on development teams and the operational complexities associated with the growing threat landscape by enabling better and faster protection that is integrated into your entire application life cycle.


Get more information on Trend Micro Cloud One™ — File Storage Security




